On 01/17/2012 11:00 AM, Anne Wilson wrote:
On 16/01/12 13:55, Török Edwin wrote:
On 01/16/2012 03:53 PM, Anne Wilson wrote:
I run clamav on my mail server, and my daughter runs clamwin on
Windows 7, on my recommendation.  This morning's scan showed midi
files that have been on my server for 2 years or more as being
infected, e.g.:

/Data1/Midi/AudigyCD/SYMPHONY.MID: BC.Exploit.CVE_2012_0003 FOUND

Soon after reading this, I got a phone call from my daughter saying
that clamwin had quarantined all midi files supplied in the
Creative Soundblaster X-Fi installation.  The screenshot she sent
me shows nothing but the midi files.

Please submit some of those false positives here (make sure you
choose the 'A false positive' radiobox):
http://cgi.clamav.net/sendvirus.cgi

Thanks.  I've done that.  I was careful to mark it as "a false positive"
but got the message "This virus is already recognized by ClamAV
0.97.3/14314/Mon Jan 16 " - I assume that I can ignore that?

I'll submit one from her Windows box as soon as she emails it to me.


I have told her not to worry for now, but is there a way to mark
these as not infected and remove them from quarantine?


Create a file called local.ign2 in your database directory and add
this line to it: BC.Exploit.CVE_2012_0003

Done that too.  Thanks for the prompt reply.  I'm not very familiar with
Windows' organisation of this sort of thing, so can you suggest where I
should tell her to put the ignore file?  Should she just search for
daily.cld to find the directory, or is it labelled some other way in
Windows?

daily.cld or daily.cvd. Not sure where ClamWin puts its database directory,
perhaps in Application Data.

The offending bytecode was dropped in the meantime, so the false positive
detections should've stopped for now.

Best regards,
--Edwin
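
The local.ign2 step described above, written as an idempotent shell helper. This is an added example, not part of the original message or ClamAV's own tooling; the function names and the candidate directory paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. Function names and default paths are assumptions.

# Print the first candidate directory that holds daily.cld or daily.cvd.
find_db_dir() {
    for d in "$@"; do
        if [ -f "$d/daily.cld" ] || [ -f "$d/daily.cvd" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Add one signature name to local.ign2 in the database directory.
# Returns 0 if the name was added or was already listed, 1 on error.
ignore_signature() {
    db_dir=$1
    sig=$2
    ign="$db_dir/local.ign2"
    [ -d "$db_dir" ] || { echo "no such directory: $db_dir" >&2; return 1; }
    # Accept only a plain signature name: no spaces, no path characters.
    case $sig in
        ''|*[!A-Za-z0-9._-]*) echo "unexpected signature name: $sig" >&2; return 1 ;;
    esac
    # -x matches the whole line, -F treats the dots in the name literally.
    if [ -f "$ign" ] && grep -qxF -e "$sig" "$ign"; then
        return 0
    fi
    # If the file ends without a newline, add one so the new name
    # does not get glued onto the previous entry.
    if [ -s "$ign" ] && [ -n "$(tail -c 1 "$ign")" ]; then
        printf '\n' >> "$ign"
    fi
    printf '%s\n' "$sig" >> "$ign"
}

# Usage (candidate paths are assumed common locations; pass your own):
#   db=$(find_db_dir /var/lib/clamav /usr/local/share/clamav) &&
#       ignore_signature "$db" BC.Exploit.CVE_2012_0003
```

An entry in local.ign2 suppresses that signature name on every scan, so delete the line once the updated database no longer produces the detection.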